What's wrong with my code?
-
def Submit_btn(self): USERNAME = self.username.text() PASSWORD = self.password.text() self.query = QSqlQuery("SELECT username,password FROM users") while (self.query.next()): user_data = self.query.value(0).toString() pass_data = self.query.value(1).toString() if USERNAME == user_data and PASSWORD == pass_data: if USERNAME == "admin" and PASSWORD == "password": print "Login as Administrator" return True if USERNAME != "admin" and PASSWORD != "password": print "Log is as User" if USERNAME != user_data and PASSWORD != pass_data: print "wrong" self.ctr += 1 print self.ctr if self.ctr >= 10: sys.exit()If i enter wrong input with users account the increament for wrong input wont count
-
I don't know python
def Submit_btn(self): USERNAME = self.username.text() PASSWORD = self.password.text() self.query = QSqlQuery() self.query.prepare("SELECT username FROM users WHERE username= ? and password = ?") self.query.addBindValue(USERNAME) self.query.addBindValue(PASSWORD) if(!self.query.exec()): print "Database query failed" return False if(self.query.next()): if USERNAME == "admin": print "Login as Administrator" else: print "Log is as User" return True print "wrong" self.ctr += 1 print self.ctr if self.ctr >= 10: sys.exit() return False
P.S.
And this kids is how you do user authentication completely wrong!You should store the salt (a random string) for each account in plain text or encrypted in the database, retrieve it, (decrypt it if it's encrypted) and use it with the supplied password in a QCryptographicHash or with somthing better now compare this hash with the one in the database
-
no, you don't have to modify anything.
if(!self.query.exec()): print "Database query failed" return Falsechecks that the database ran the query correctly, it says nothing on the data inside it. the next block
if(self.query.next()): if USERNAME == "admin": print "Login as Administrator" else: print "Log is as User" return Truehere we check if the username and passwords were in the database
-
@Gelo but the problem is everytime i input a correct query for example the admin account it prints the "login as admin" and but after it print the admin mode "Database query failed" shows up first
-
def Submit_btn(self): USERNAME = self.username.text() PASSWORD = self.password.text() self.query = QSqlQuery() self.query.prepare("SELECT username FROM users WHERE username = '%s' and password = '%s'"%(USERNAME,str(PASSWORD))) self.query.addBindValue(USERNAME) self.query.addBindValue(PASSWORD) if(self.query.exec_()): print "Database query failed" self.ctr += 1 print self.ctr if self.ctr >= 3: print "3 wrong attemps will terminate in a second!" time.sleep(2) sys.exit() return False if(self.query.next()): if USERNAME == "admin": print "Login as Administrator" print self.query.exec_() subprocess.Popen("__init__.py",shell=True) sys.exit() else: print "View Mode!" sys.exit() return True -
@Gelo said in Whats wrong with my code!:
self.query.prepare("SELECT username FROM users WHERE username = '%s' and password = '%s'"%(USERNAME,str(PASSWORD)))
http://www.w3schools.com/sql/sql_injection.asp
if(self.query.exec_()):
why did you remove the not? it should be
if(not self.query.exec_()):print "3 wrong attemps will terminate in a second!"
you are not checking the attempts in the in the right place
print self.query.exec_()
why are you executing the query again?
if(not self.query.exec_()): print "Database query failed" else: if(self.query.next()): if USERNAME == "admin": print "Login as Administrator" print self.query.exec_() subprocess.Popen("__init__.py",shell=True) sys.exit() else: print "View Mode!" sys.exit() return True else: self.ctr += 1 print self.ctr if self.ctr >= 3: print "3 wrong attemps will terminate in a second!" time.sleep(2) sys.exit() return False -
if(not self.query.exec()):checks that the query did run correctly, it does not check your input.
The input is checked byif(self.query.next()):if that is true then username and password were found in the database.Please do not overlook the SQL injection bug:
self.query.prepare("SELECT username FROM users WHERE username = '%s' and password = '%s'"%(USERNAME,str(PASSWORD)))
http://www.w3schools.com/sql/sql_injection.asp -
@Gelo said in Whats wrong with my code!:
self.query = QSqlQuery() self.query.prepare("SELECT username FROM users WHERE username = '%s' and password = '%s'"%(USERNAME,str(PASSWORD))) self.query.addBindValue(USERNAME) self.query.addBindValue(PASSWORD)I just wonder this works... did you read http://pyqt.sourceforge.net/Docs/PyQt4/qsqlquery.html for how to use prepare statement and binding values?
To bind values to a prepared statement you need placeholders.
According to the examples on http://pyqt.sourceforge.net/Docs/PyQt4/qsqlquery.html it should be done like this:Named binding using named placeholders:
QSqlQuery query; query.prepare("INSERT INTO person (id, forename, surname) " "VALUES (:id, :forename, :surname)"); query.bindValue(":id", 1001); query.bindValue(":forename", "Bart"); query.bindValue(":surname", "Simpson"); query.exec();Positional binding using named placeholders:
QSqlQuery query; query.prepare("INSERT INTO person (id, forename, surname) " "VALUES (:id, :forename, :surname)"); query.bindValue(0, 1001); query.bindValue(1, "Bart"); query.bindValue(2, "Simpson"); query.exec();Binding values using positional placeholders (version 1):
QSqlQuery query; query.prepare("INSERT INTO person (id, forename, surname) " "VALUES (?, ?, ?)"); query.bindValue(0, 1001); query.bindValue(1, "Bart"); query.bindValue(2, "Simpson"); query.exec();Binding values using positional placeholders (version 2):
QSqlQuery query; query.prepare("INSERT INTO person (id, forename, surname) " "VALUES (?, ?, ?)"); query.addBindValue(1001); query.addBindValue("Bart"); query.addBindValue("Simpson"); query.exec();
